Merge pull request #735 from dune73/crs-pull-fixing-ddos

Fixing bug in 912160 (dos_burst_counter jumping from 0 to 2)

Author: lifeforms

rules/REQUEST-912-DOS-PROTECTION.conf

@@ -177,9 +177,16 @@ SecRule REQUEST_BASENAME ".*?(\.[a-z0-9]{1,10})?$" \
 #
 # Check DOS Counter
 # If the request count is greater than or equal to user settings,
-# we set the burst counter.
+# we raise the burst counter. This happens via two separate rules:
+# - 912160: raise from 0 to 1
+# - 912161: raise from 1 to 2
 #
-SecRule IP:DOS_COUNTER "@gt %{tx.dos_counter_threshold}" \
+# This approach with two rules avoids raising the burst counter
+# from 0 to 2 via two concurrent requests. We do not raise the
+# burst counter beyond 2.
+#
+#
+SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
 	"phase:5,\
 	id:912160,\
 	t:none,\
@@ -189,9 +196,28 @@ SecRule IP:DOS_COUNTER "@gt %{tx.dos_counter_threshold}" \
 	tag:'language-multi',\
 	tag:'platform-multi',\
 	tag:'attack-dos',\
-	setvar:ip.dos_burst_counter=+1,\
-	expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},\
-	setvar:!ip.dos_counter"
+	chain"
+	SecRule &IP:DOS_BURST_COUNTER "@eq 0" \
+		"setvar:ip.dos_burst_counter=1,\
+		expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},\
+		setvar:!ip.dos_counter"
+
+
+SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
+	"phase:5,\
+	id:912161,\
+	t:none,\
+	nolog,\
+	pass,\
+	tag:'application-multi',\
+	tag:'language-multi',\
+	tag:'platform-multi',\
+	tag:'attack-dos',\
+	chain"
+	SecRule &IP:DOS_BURST_COUNTER "@ge 1" \
+		"setvar:ip.dos_burst_counter=2,\
+		expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},\
+		setvar:!ip.dos_counter"
 
 
 #